Thoughts on Offensive and Defensive Cybersecurity

The Benefits of Programming in Digital Forensics

Though not a strict requirement, examination of the source code becomes an asset for agencies that use open source applications. First, by understanding the code of their applications, code-literate agencies gain the opportunity to create tools, packages, and scripts for their own purposes. For example, they can use languages like Python, Ruby, or Perl to build forensic software for evolving circumstances. Furthermore, by comprehending source code, investigators can employ certain applications with greater insight and potency. For instance, tools like RegRipper, which is written in Perl, demand some understanding of their inner mechanics to be used to full effect. Moreover, by studying the source code, investigators gain the insight necessary to defend their testing methods in court. If they are pressed to prove the reliability of their findings, they can clearly articulate the soundness of the forensic results while keeping in mind the concrete scope of the tool. In other words, by examining the source code, they discard layers of abstraction that would create uncertainty with a closed-source tool. Additionally, agencies can report more bugs to vendors and developers if they inspect the source code of their tools. Consequently, they can contribute to the quality assurance of open source products more easily than they could with proprietary tools.

This means that agencies whose examiners lack an understanding of programming have setbacks to compensate for. They would have to rely on proprietary software that, at best, has been tested by third parties like the CFTT. They would therefore also require more overhead to pay for proprietary tools. Thus, their agencies become less cost efficient and less self-reliant.

Programming skill is ideal for digital forensic investigators. By having skills in programming, forensic examiners (FEs) gain the aforementioned advantages with respect to open source tools. Additionally, they develop a more thorough understanding of assets and security controls. Consequently, they can conduct incident response and investigations with greater accuracy and aptitude. For instance, they may spot vulnerabilities in applications and test whether an attacker used flawed code as a vector.

Fortunately, if we ever had only a single tool to work with and it happened to be proprietary, there are still a few things we could do to test it. To satisfy the court, an expert witness could evaluate the proprietary code without divulging it. Furthermore, third parties like the CFTT could evaluate the tool if the vendor published design specifications.